TCP/IP stack fingerprinting: Difference between revisions

Certain parameters within the [[TCP protocol]] definition are left up to the implementation.  Different operating systems, and different versions of the same operating system, set different defaults for these values.  By collecting and examining these values, one may differentiate among various operating systems, and implementations of TCP/IP.<ref>[{{cite web|url=http://project.honeynet.org/papers/finger/ |title=Know Your Enemy: Passive Fingerprinting] |publisher=Project.honeynet.org |date= |accessdate=2011-11-25}}</ref> The TCP/IP fields that may vary

These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.<ref>Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.</ref> Just inspecting the Initial TTL and window size fields is often enough in order to successfully identify an operating system, which eases the task of performing manual OS fingerprinting.<ref>[{{cite web|url=http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting |title=Passive OS Fingerprinting, NETRESEC Network Security Blog] |publisher=Netresec.com |date=2011-11-05 |accessdate=2011-11-25}}</ref>.

Protection against all types of TCP/IP fingerprinting is achieved through TCP/IP fingerprint obfuscators. Also known as fingerprint scrubbing, tools exist for [[MS Windows]],<ref>[{{cite web|url=http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools |title=OSfuscate] |publisher=Irongeek.com |date=2008-09-30 |accessdate=2011-11-25}}</ref> [[Linux]],<ref>[{{cite web|author=Carl-Daniel Hailfinger, carldani@4100XCDT |url=http://ippersonality.sourceforge.net/ |title=IPPersonality] |publisher=Ippersonality.sourceforge.net |date= |accessdate=2011-11-25}}</ref> [[FreeBSD]],<ref>[{{cite web|url=http://www.usenix.org/events/sec00/full_papers/smart/smart_html/index.html |title=Defeating TCP/IP stack fingerprinting] |publisher=Usenix.org |date=2002-01-29 |accessdate=2011-11-25}}</ref> and likely others.

Moreover, protection against active fingerprinting attempts is achieved by limiting the type and amount of traffic a system responds to. Examples include the following: blocking of all unnecessary outgoing [[Internet Control Message Protocol|ICMP]] traffic, especially unusual packet types like address masks and timestamps. Also, blocking of any [[ICMP Echo Reply|ICMP echo replies]]. Be warned that blocking things without knowing exactly what they are for can very well lead to a broken network; for instance, your network could become a [[Black hole (networking)|black hole]]. Alternatively, active fingerprinting tools themselves have fingerprints that can be detected.<ref>[{{cite web|url=http://ojnk.sourceforge.net/stuff/iplog.readme |title=iplog] |date= |accessdate=2011-11-25}}</ref>

Defeating TCP/IP fingerprinting may provide limited protection from potential attackers who employ a [[vulnerability scanner]] to select machines of a specific target OS. However, a determined adversary may simply try a series of different attacks until one is successful.<ref>{{cite web|url=http://seclists.org/pen-test/2007/Sep/0030.html |title=OS detection not key to penetration |publisher=Seclists.org |date= |accessdate=2011-11-25}}</ref>

* [[PacketFence]]<ref>[{{cite web|url=http://www.packetfence.org/ |title=PacketFence] |publisher=PacketFence |date=2011-11-21 |accessdate=2011-11-25}}</ref> - open source [[Network Access Control|NAC]] with passive DHCP fingerprinting.